02-Firewall Policies
[Object Usage] If you select a firewall policy, you can use the Edit, View List, and View Properties tabs. ____ List: Allows you to view selected objects in its category.
View
[Object Usage] If you select a firewall policy, you can use the Edit, View List, and View Properties tabs. • ____ Properties: Shows where the object is used in that configuration.
View
[Policy ID] An important factor in how firewall policies work is the concept of precedence of order, or, if you prefer a more recognizable term, "_____ come, first served".
first
[Components and Policy Types] Policy Types: -IPv4, IPv6 -Virtual ____ pair (IPv4 & IPv6) -Proxy -Multicast -Local in Policy (Origin and destination is FortiGate itself) -DoS (IPv4 & IPv6) -Traffic Shaping
wire
[Traffic Shapers] FortiGate allows you to create three types of traffic shaping policies: • ___________ control shaping: bandwidth management by application
Application
[Object Usage] If you select a firewall policy, you can use the Edit, View List, and View Properties tabs. • ____: Allows you to edit the selected object.
Edit
[Policy ID] Policy ___ are identifiers and are displayed on the GUI.
IDs
[Traffic Shapers] FortiGate allows you to create three types of traffic shaping policies: • Per-__ shaping: bandwidth management of user IP addresses
IP
[Components and Policy Types] Objects used by policies: -Interface and interface groups -Address, user, device, and Internet service objects -Service definitions -Schedules -___ Rules -Security Profiles
NAT
[Traffic Shapers] FortiGate allows you to create three types of traffic shaping policies: • ______ policy shaping: bandwidth management of security policies
Shared
Is the option to deny sessions in the CLI called 'ses-denied-traffic' (True/False)? You can also set the duration for blocked sessions. This determines how long a session will be kept in the session table, by setting 'block-session-timer' in the CLI. NOTE — By default, it is set to 30 seconds. If the GUI option Generate Logs when Session Starts is not displayed, this means that your FortiGate device does not have internal storage. This option is available in the CLI, regardless of internal storage, and is called 'set logtraffic-start enable'.
True
[Configuring Firewall Policies] Are there many other options that you can configure in the firewall policy, such as firewall and network options, security profiles, logging options, and enabling or disabling a policy (True/False)?
True
[Configuring Firewall Policies] Can you select Internet Services as Source (True/False)? NOTE — Internet service is a combination of one or more addresses and one or more services associated with a service found on the Internet such as an update service for software.
True
[Configuring Firewall Policies] Does the FortiGate flat GUI view allow you to do the following (True/False)? -Select interfaces and other objects by clicking -Drag and drop them on the list populated on the right side
True
[Configuring Firewall Policies] When creating firewall objects or policies, is a universally unique identifier (UUID) attribute added so that logs can record these UUIDs and improve functionality when integrating with FortiManager or FortiAnalyzer (True/False)?
True
[Configuring Firewall Policies] When creating firewall policies, remember that FortiGate is a stateful firewall. As a result, do you need to create only one firewall policy that matches the direction of the traffic that initiates the session (True/False)? FortiGate will automatically remember the source-destination pair and allow replies.
True
[Configuring Firewall Policies] When you configure a new firewall policy on the GUI, you must specify a unique name for the firewall policy because this requirement is enabled by default; is the name optional in the CLI (True/False)? NOTE — If a policy is configured without a policy name on the CLI and you modify that existing policy on the GUI, you must specify a unique name.
True
[Device Identification — Agentless vs. Agent] Does Agent-based use FortiClient (True/False)? NOTE — FortiClient sends information to FortiGate, and the device is tracked by its unique FortiClient user ID (UID).
True
[Device Identification — Agentless vs. Agent] Does Agentless use traffic from the device (True/False)? NOTE — Devices are indexed by their MAC address, and there are various ways to identify devices, such as: -HTTP User-Agent header -TCP fingerprint -MAC address OUI -DHCP -Microsoft Windows browser service (MWBS) -SIP user agent -Link Layer Discovery Protocol (LLDP) -Simple Service Discovery Protocol (SSDP) -QUIC -FortiOS-VM --FortiOS-VM vendor ID in IKE messages --FortiOS-VM vendor ID in FortiGuard web filter and spam filter requests NOTE — Agentless device identification is only effective if FortiGate and the workstations are on directly connected network segments, where traffic is sent directly to the FortiGate and there is no intermediate router or layer 3 device between FortiGate and the workstations.
True
[Device Identification — Agentless vs. Agent] Does FortiGate use a first come, first served approach to determine the device identity (True/False)? NOTE — For example, if a device is detected by the HTTP user agent, FortiGate updates its device table with the detected MAC address and scanning stops as soon as the type has been determined for that MAC address.
True
[Policy List — Interface Pair View and By Sequence] Usually, will the list appear in Interface Pair View — so each section contains policies for that ingress-egress pair (True/False)?
True
[Real-time Policy Status] In FortiOS version 6.0, when you edit a policy, is policy usage information visible (True/False)? NOTE — This feature is very useful if an admin wants to check policy usage, such as: ID, Last Used, First Used, Hit Count, Active Sessions, Total Bytes, and Current Bandwidth.
True
[Scheduling] Can Schedules add a time element to the policy (True/False)? For example, a policy allowing backup software may activate at night, or a remote address may be allowed for testing purposes, and a schedule provides a test window.
True
[Scheduling] Can Schedules be configured using a 24-hour clock (True/False)?
True
[Scheduling] There are a few configuration settings worth mentioning: • One-time: Should the start date and time be earlier than the stop date and time (True/False)? NOTE — You can also enable the Pre-expiration event log, which will generate an event log N number of days before the schedule expires, where N can be from 1 to 100 days.
True
[Scheduling] There are a few configuration settings worth mentioning: • Recurring: If All Day is enabled, will traffic be allowed for 24 hours for the days selected (True/False)? NOTE — When configuring recurring schedules, if the stop time is set earlier than the start time, the stop time will occur the next day. For example, if you select Sunday as the day, 10:00 as the start time, and 09:00 as the stop time, the schedule will stop on Monday at 09:00. If the start and stop time are identical, the schedule will run for 24 hours.
True
[Security Profiles] One of the most important features that a firewall policy can apply is security profiles, such as IPS and antivirus. Does a security profile inspect each packet in the traffic flow, where the session has already been conditionally accepted by the firewall policy (True/False)?
True
[Security Profiles] When inspecting traffic, can FortiGate use one of two methods (True/False)? -flow-based -proxy-based NOTE — Different security features are supported by each type.
True
[Selecting Multiple Interfaces or Any Interface] By default, can you select only a single interface as the incoming interface and a single interface as the outgoing interface (True/False)?
True
[Selecting Multiple Interfaces or Any Interface] Can you also select multiple interfaces, or select the any option, if you configure a firewall policy on the CLI, regardless of the default GUI setting (True/False)?
True
[Device Identification — Agentless vs. Agent] Are there two device identification techniques: with an agent and without an agent (agentless) (True/False)?
True
[Logging] Can you change the setting to All Sessions, which generates logs for all sessions (True/False)?
True
[Device Identification: Device List (GUI and CLI)] Are detected devices saved to FortiGate's flash drive for 28 days (True/False)? Therefore, on restart, FortiGate knows that devices have already been identified, and does not have to recategorize each device. However, the device information will expire and be removed from the device inventory table if no traffic is seen from that device for 28 days. This action can be altered on a per VDOM basis using FortiGate CLI commands. NOTE — The user displayed in the device information is just a tag; it cannot be used as a means of identification for an authentication policy.
True
[Device Identification: Device List (GUI and CLI)] Are devices indexed by MAC and identified from multiple sources (True/False)? NOTE — The CLI command shows a more detailed listing than the Device Inventory page, including the detection method. Devices are detected by source as HTTP user agent and FortiClient.
True
[Device Identification: Device List (GUI and CLI)] The Device Inventory shows the list of detected devices. You can right-click any detected device to edit, delete, or view details in FortiView. Does the details list include session, destination, policies, and more (True/False)?
True
[Device Identification] If you enable Source Device type in the firewall policy, does FortiGate enable Device Detection on the source interface(s) of the policy (True/False)? NOTE — By default, FortiGate uses Device Detection (passive scanning) which runs the scans based on the arrival of traffic.
True
[Device Identification] What if the FortiGate is unable to detect the device? Can you enable Active Scanning, so that it scans for device type, OS, and OS version (True/False)? NOTE — If passive detection fails to detect the device type for more than five minutes, active scanning is triggered and scans every three minutes. If active scanning fails to detect the device type, the next scan occurs 10 minutes later. If that scan fails, the next occurs 15 minutes later. FortiGate uses an (N+1)*5-minute algorithm for scanning, where N is the number of scans that have been done. In other words, every 5 minutes.
True
[Endpoint Control] Can FortiGate control FortiClient settings through the FortiClient profile and registration (True/False)?
True
[Endpoint Control] Does the Licenses widget on the FortiGate GUI dashboard show the total number of registered devices and the total number of devices available for registration (True/False)? NOTE — Windows and Mac OS X FortiClient installers are also available from this dashboard widget.
True
[Endpoint Control] In order for FortiClient to register with FortiGate, does FortiTelemetry need to be enabled on the interface(s) facing the endpoints on the network because it listens for the connection from the devices that have FortiClient installed (True/False)?
True
[Endpoint Control] Is FortiTelemetry a TCP protocol used for communication between FortiClient and FortiGate, which operates on TCP port 8013 (True/False)?
True
[Endpoint Control] There are other configuration settings worth mentioning: • Enforce FortiClient Compliance Check: If enabled, does it also enable Device Detection (True/False)? NOTE — Noncompliant devices are blocked and redirected to a web portal that explains the noncompliance and provides a link to download FortiClient. You can exempt devices from FortiClient enforcement using source, destination, or services.
True
[Filter Column] Can you click the Policy ID column filter icon to search policies by policy ID number, or click the Name filter icon to search policies by policy name, and so on (True/False)?
True
[Filter Column] In FortiOS version 6.0, can you filter firewall policies through the GUI using filters on each column (True/False)?
True
[Firewall Policy — Fine Tuning] Can you right-click any firewall policy to see different menu options to edit or modify the policy (True/False)?
True
[Firewall Policy — Fine Tuning] Does right-clicking an object give you options to modify that object and to show the references to it (True/False)?
True
[Firewall Policy — Fine Tuning] If you click Edit in CLI, does it open the CLI console for the selected firewall policy or object (True/False)? NOTE — It shows the configured settings in the CLI, and you can modify the selected firewall policy or object directly in the CLI Console.
True
[How Are Policy Matches Determined?] When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria; can they be defined using the following objects (True/False)? • Ingress and Egress Interfaces (Incoming and Outgoing Interfaces) • Source: IP address, user, device ID • Destination: IP address or Internet Services • Network service(s): IP protocol and port number • Schedule: applies during configured times
True
[How Are Policy Matches Determined?] When the traffic matches a firewall policy, FortiGate applies the configured action in the firewall policy. • If the Action is set to ACCEPT, will FortiGate apply other configured settings for packet processing, such as antivirus scanning, web filtering, or source NAT (True/False)?
True
[How Are Policy Matches Determined?] When the traffic matches a firewall policy, FortiGate applies the configured action in the firewall policy. • If the Action is set to DENY, will FortiGate drop the session (True/False)?
True
[Internet Services] Can the Internet Service Database be selected as Source or Destination in the firewall policy (True/False)?
True
[Internet Services] Can you use Internet Service as destination in a firewall policy, which contains all the IP addresses, ports and protocols used by that service (True/False)? NOTE — For the same reason, you cannot mix regular address objects with Internet Service Database (ISDB) objects, and you cannot select Services on a firewall policy. The ISDB objects already have services information which is hard-coded.
True
[Internet Services] Compared with address objects, which you need to check frequently to make sure that none of the IP addresses have changed and that the appropriate ports are allowed, do Internet services help make this type of deployment easier and simpler (True/False)?
True
[Internet Services] Is Internet Service a database that contains a list of IP addresses, IP protocols, and port numbers used by the most common Internet services (True/False)? NOTE — FortiGate periodically downloads the newest version of this database from FortiGuard.
True
[Learning Mode] Can you view the comprehensive report that results from Learning Mode on the Learning Reports page (True/False)? NOTE — This report uses all of the learning logs, across all traffic and security vectors, to generate a complete summary report for recommendation purposes. This enables users to easily implement a monitor-then-enforce process.
True
[Learning Mode] When you set Action to LEARN, does it enable Device Detection on the source interface(s) of the policy (True/False)? The firewall policy automatically applies default static profiles and passes traffic to security profiles for Monitoring. It also enables logging with full capabilities, which are tagged as Learn in the logs.
True
[Logging] If you enable Generate Logs when Session Starts, does FortiGate create a traffic log when the session begins (True/False)? FortiGate also generates a second log for the same session when it is closed. NOTE — But remember that increasing logging decreases performance, so use it only when necessary.
True
[Logging] If you have enabled logging in the policy, FortiGate will generate traffic logs after a firewall policy closes an IP session. By default, is Log Allowed Traffic set to Security Events and generates logs for only the applied security profiles in the firewall policy (True/False)?
True
[Logging] To reduce the number of log messages generated and improve performance, can you enable a session table entry for dropped traffic (True/False)? NOTE — This creates the denied session in the session table and, because the session is denied, all packets of that session are also denied.
True
[Matching Policy by Destination] Can you use address objects or ISDB objects as destinations in the firewall policy (True/False)? The address object may be: -Host Name -IP subnet or range -FQDN (make sure that you've configured your FortiGate with DNS servers) -Geographic addresses (groups or ranges of addresses allocated to a country, updated through FortiGuard) NOTE — Why is there no option to select users or devices? The user identification or device identification is determined at the ingress interface, and packets are forwarded only to the egress interface after user or device authentication is successful.
True
[Matching Policy by Destination] Does FortiGate also check the destination address for a match (True/False)?
True
[Matching Policy by Source] Can you also use Internet service (ISDB) objects as a source in the firewall policy (True/False)? NOTE — There is an either/or relationship between Internet Service objects and source address objects in firewall policies. This means either you can select source address or an Internet service, not both.
True
[Matching by Service] Are Services grouped together to simplify administration, so you can view the services By Category or Alphabetically (True/False)? NOTE — If the predefined services don't meet your organizational needs, you can create one or more new services, service groups, and categories.
True
[Matching by Service] Do services determine the matching transmission protocol (UDP, TCP, and so on) and port number (True/False)?
True
[Matching by Service] Is the predefined service object named HTTP TCP destination port 80, and the predefined service object named HTTPS TCP destination port 443 (True/False)? However, the source ports are ephemeral and, therefore, not defined.
True
[Matching by Source] Can you also select ISDB objects as source in the firewall policy (True/False)?
True
[Matching by Source] Can you refine your definition of the source address by also selecting a user, a group, or a specific device (True/False)? NOTE — If your organization allows bring your own device (BYOD), then a combination of all three provides a much more granular match, for increased security.
True
[Matching by Source] In each firewall policy, must you select a source address object (True/False)?
True
[Matching by Source] Make sure FortiGate is configured properly for DNS settings. When selecting a fully qualified domain name (FQDN) as the source address, must it be resolved by DNS and cached in FortiGate (True/False)?
True
[Naming Rules and Restrictions] Do most firewall object name fields accept up to 35 characters (True/False)?
True
[Naming Rules and Restrictions] Supported characters in the firewall object name: -Numbers: 0 to 9 -Letters: A to Z (uppercase and lowercase) -Special characters: hyphen - and underscore _ -Spaces — Should you avoid using spaces, since they can cause issues when using the CLI (True/False)?
True
[Object Usage] What if you want to delete an object? If an object is being used, is it true that you can't delete it (True/False)?
True
[Policy ID] Does FortiGate automatically assign a policy ID when a new firewall policy is created on the GUI (True/False)?
True
[Policy ID] Does the policy ID never change, even if the rule is moved higher or lower in the sequence (True/False)?
True
[Policy List — Interface Pair View and By Sequence] Alternatively, can you view your policies as a single, comprehensive list by selecting By Sequence at the top of the page (True/False)?
True
[Policy List — Interface Pair View and By Sequence] In some cases, you won't have a choice of which view is used. If you use multiple source or destination interfaces, or the ANY interface, in a firewall policy, policies cannot be separated into sections by interface pairs (some would be triplets or more). Instead, are policies then always displayed in a single list (By Sequence) (True/False)?
True
[Policy List — Interface Pair View and By Sequence] To help you remember the use of each interface, can you give them aliases by editing the interface on the Network page (True/False)? For example, you could call port2 ISP1. This can help to make your list of policies easier to understand.
True
[Selecting Multiple Interfaces or Any Interface] The option to select multiple interfaces, or any interface in a firewall policy, is disabled on the GUI. However, can you enable the Multiple Interface Policies option on the Feature Visibility page to disable the single interface restriction (True/False)?
True
[Selecting Multiple Interfaces or Any Interface] When you choose the any interface option, is it true that you cannot select multiple interfaces in that interface field (True/False)? NOTE — If ANY is selected as the outgoing interface, you cannot add any additional interfaces, as any interface implies that ALL interfaces have already been selected.
True
[Simplify — Groups of Addresses or Services] Also, can you consolidate source addresses in source groups (True/False)?
True
[Simplify — Groups of Addresses or Services] Can you reference that group in the firewall policy, instead of selecting multiple objects each time or making multiple policies (True/False)?
True
[Simplify — Groups of Addresses or Services] To simplify administration, can you group service and address objects (True/False)?
True
[Simplify — Interfaces and Zones] An interface in a Zone cannot be referenced individually, and if you need to add the interface to the zone, do you have to remove all references to that interface (for example, firewall policies, firewall addresses, and so on) (True/False)? If you think that you might need to reference interfaces individually, you should set multiple source and destination interfaces in the firewall policy, instead of using zones.
True
[Simplify — Interfaces and Zones] Packets arrive on an incoming, or ingress, interface. Does routing determine the outgoing, or egress, interface (True/False)?
True
[Simplify — Interfaces and Zones] To match policies with traffic, do you have to select one (or more) interfaces or any interface (True/False)?
True
[Simplify — Interfaces and Zones] To simplify policy configuration, can you group interfaces into logical zones (True/False)?
True
[Source — User Identification] If a user is added as part of the source, does FortiGate need to verify the user before allowing or denying access based on the firewall policy (True/False)? There are different ways that a user can authenticate. For local users, the username and password are configured locally on FortiGate. When a local user authenticates, the credentials that they enter must match the username and password configured locally on FortiGate.
True
[Source — User Identification] There are different ways that a user can authenticate. Is a Fortinet single sign-on (FSSO) user's information retrieved from the domain controller (True/False)? NOTE — Access is granted based on the group information on FortiGate.
True
[Source — User Identification] There are different ways that a user can authenticate. For a remote user (for example, LDAP or RADIUS), does FortiGate receive the username and password from the remote user and pass this information to the authentication server (True/False)? NOTE — The authentication server verifies the user login credentials and updates FortiGate. After FortiGate receives that information, it grants access to the network based on the firewall policy.
True
[Traffic Shapers] Does a Shared Shaper apply a total bandwidth to all traffic using that shaper (True/False)? The scope can be per policy or for all policies referencing that shaper. FortiGate can count the packet rates of ingress and egress to police traffic.
True
[Traffic Shapers] Are there two types of traffic shapers that can be configured (True/False)? -shared -per IP
True
[Traffic Shapers] When creating Traffic Shaping policies, should you ensure that the matching criteria is the same as the firewall policies you want to apply shaping to (True/False)? NOTE — These apply equally to TCP and UDP, and UDP protocols may not recover as gracefully from packet loss.
True
[What are Firewall Policies?] Do policies define how to process the traffic that matches them (True/False)?
True
[What are Firewall Policies?] Do policies define which traffic matches them (True/False)?
True
[What are Firewall Policies?] FortiGate looks for the matching firewall policy from top to bottom and, if a match is found, is the traffic processed based on the firewall policy (True/False)?
True
[What are Firewall Policies?] If no match is found, is the traffic dropped by the default Implicit Deny firewall policy (True/False)?
True
[What are Firewall Policies?] Will Network Address Translation (NAT) be applied? Is authentication required? Firewall policies also determine the answers to these questions. After processing is finished, does FortiGate forward the packet toward its destination (True/False)?
True